Delegated Crowd directory without LDAP Group

1- I'm new to Crowd. We have lots of groups in the LDAP directory that are used as OS security groups and I don't want to use them in Atlassian applications. I created an LDAP connector that brings every user and group from Microsoft LDAP and I created a Delegated Directory in order to import users from LDAP to I need to have a Delegated LDAP Directory in Crowd without those groups. Is it possible to change the configuration of the Crowd Directory to achieve this?

2- If I have new users in the LDAP directory, how can I sync them with the Delegated directory?

1 answer

1 accepted

If your main concern is not to import the AD groups in Crowd, you actually have two options.

1st option: Create a (single) LDAP connector directory and edit the group object filter in the configuration tab so as to fetch only Atlassian application groups.

2nd option: Create a (single) Delegated authentication directory and then manage your Atlassian application groups locally in this Crowd directory. You do not need manual synchronisation for new AD users. As detailed in the documentation:

"If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory"

For instance, if you enter the following value, you will only get the AD groups whose name starts with jira:

(&(objectCategory=Group)(cn=jira*))

2nd option: That's because you created an LDAP connector directory in addition to the Delegated Authentication directory. You just need one single directory (the Delegated Authentication one). If you do not want anything related to AD groups in this directory, please also disable Synchronise group memberships in the connector tab.
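A way to preview which directory entries a group object filter such as the one above would match before saving it in Crowd, as an added example that is not part of the original answer and not Atlassian's code. The sample entries are constructed, objectCategory is modelled by its short name, and filter escapes such as \2a are not handled.

```python
import re

def parse(f, i=0):
    """Parse the filter component starting at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids = f[i], []
        i += 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' component near offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, pattern = f[i:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed comparison near offset {i}")
    return ("=", attr.lower(), pattern), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> values)."""
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # '*' is the only wildcard; compare case-insensitively, as AD does for cn.
    rx = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.I | re.S)
    return any(rx.fullmatch(value) for value in entry.get(attr, []))

def imported_groups(ldap_filter, entries):
    """Return the cn of every entry the filter would select."""
    text = ldap_filter.strip()
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]

# Constructed sample entries, not real directory data.
SAMPLE = [{"cn": [cn], "objectcategory": [cat]} for cn, cat in [
    ("jira-users", "group"), ("JIRA-Administrators", "group"),
    ("confluence-users", "group"), ("Domain Admins", "group"),
    ("jira.svc", "person")]]

if __name__ == "__main__":
    print(imported_groups("(&(objectCategory=Group)(cn=jira*))", SAMPLE))
```

Running the same function with `(objectCategory=Group)` alone shows how many OS security groups an unscoped filter would pull in.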


But I didn't understand the 2nd option. I have a Microsoft Active Directory in our organization. If I define a delegated connector, how can I import Active Directory users without defining an LDAP Connector in Crowd?


I did that, but I didn't see any users in the Delegated directory even though its connector is set up correctly. If I don't see the users, I can't manage groups and permissions in JIRA and Confluence. I repeat that I'm so sorry if I'm not clear on your comment; as I said, I haven't used Crowd before. If you can, please explain more about groups and users when using a delegated directory. Anyway, I accept your answer, and thanks for your help.


So I now understand. I authenticated my user in an application connector (see screenshot) and after that I see my user in the new Delegated LDAP directory.

The last ambiguity is this sentence: "If a user logs in successfully via LDAP authentication". Where should the user authenticate in order to show up in the Delegated directory list? I tried my user with Windows logon authentication but I didn't see my user in Crowd after that, but the "Authentication Test" in the application part of Crowd works for me, according to the attached screenshot.

crowd.JPG


That's right, you have to authenticate on your application, for instance Jira.

You might also want to be aware of a bug that has not been fixed yet by Atlassian in JIRA (https://jira.atlassian.com/browse/JRA-39085) and Confluence (https://jira.atlassian.com/browse/CONF-23957) at the time of writing. For newly created users, you will actually need to log in as an administrator in JIRA and Confluence and manually synchronise the local user database with the Crowd server. As far as I know, you should not face the same issue in other Atlassian products.
